Add guide for enabling RGW with TLS certificate #671
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| ======================================== | ||
| How to enable RGW with a TLS certificate | ||
| ======================================== | ||
|
|
||
| This guide will demonstrate how to enable RGW with a TLS certificate, in order to access a MicroCeph single node installation through a https endpoint. | ||
|
|
||
| Prerequisites | ||
| ============= | ||
|
|
||
| - `a MicroCeph single node installation <https://canonical-microceph.readthedocs-hosted.com/latest/tutorial/get-started/>`_. This will have RGW enabled. | ||
| - `a valid TLS certificate`_. We will use Certbot to obtain a TLS certificate from Let's Encrypt. You can also use a self-signed certificate, or request one from an external/commercial CA. | ||
|
|
||
| .. _a valid TLS certificate: https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs | ||
|
|
||
| Get a TLS certificate with Certbot | ||
| ================================== | ||
|
|
||
| Certbot is a command line utility which makes acquiring and renewing SSL certificates from LetsEncrypt an easy, free and automated process. You can install Certbot with the snap or apt package manager. | ||
|
|
||
| Install Certbot | ||
| --------------- | ||
|
|
||
| To install Certbot with snap: | ||
|
|
||
| ``sudo snap install certbot --classic`` | ||
|
|
||
| Or apt: | ||
|
|
||
| ``sudo apt-get install certbot python3-certbot-apache -y`` | ||
|
|
||
| Get a certificate | ||
| ----------------- | ||
|
|
||
| In the following command, replace the placeholders with your domain and valid email address (for certificate renewals). | ||
|
|
||
| .. code:: | ||
|
|
||
| sudo certbot certonly --manual \ | ||
| --preferred-challenges dns \ | ||
| -d s3.yourdomain.com \ | ||
|
There was a problem hiding this comment. I came to this guide looking for a way to set up a local TLS certificate for development purposes, so I don't have a domain name to use. Should that be listed in the Prerequisites? |
||
| -m your-email@example.com \ | ||
| --agree-tos | ||
|
|
||
| You will be asked to set a DNS record in order to verify ownership of your domain. | ||
|
|
||
| .. code:: | ||
|
|
||
| Please deploy a DNS TXT record under the name: | ||
|
|
||
| _acme-challenge.s3.yourdomain.com. | ||
|
|
||
| with the following value: | ||
|
|
||
| MKc2mNJmrOuZ5-6zcxnD3NUCb_0w_mRG8bOPIA8K66w | ||
|
|
||
| Your certificate should be automatically issued and downloaded. | ||
|
Collaborator
There was a problem hiding this comment. This assumes that users have control over the DNS of the domain they want to host it on. I'm a bit worried that creating TLS certs will get out of scope for this tutorial. I'd lean towards asking for certs as a preqrequisite, provide pointers to instructions on how to get one (certbot if they can, self-signed or bought otherwise)
Author
There was a problem hiding this comment. Again this is just one option. But yes, it may be better to skip it entirely, and just link to a full ressource on the topic. |
||
|
|
||
|
|
||
| Disable RGW | ||
| =========== | ||
|
|
||
| If you try enabling RGW when it is already enabled, you will get the following error: | ||
|
|
||
| .. code:: | ||
|
|
||
| Error: failed placing service rgw: host failed hospitality checks | ||
| for rgw enablement: rgw service already active on host` | ||
|
|
||
| So, if you followed the above guide to set up your MicroCeph node, you first need to run: | ||
|
|
||
| .. code:: | ||
|
|
||
| sudo microceph disable rgw | ||
|
|
||
| Enable RGW with your certificate | ||
| ================================ | ||
|
|
||
| The ``enable`` command expects the actual base 64 certificate and key, not just the file path. This can be done with the following command, where you will need to substitute the actual path to your certificate and key. | ||
|
|
||
| .. code:: | ||
|
|
||
| sudo microceph enable rgw \ | ||
| --ssl-certificate "$(base64 -w0 ./domain.crt)" \ | ||
| --ssl-private-key "$(base64 -w0 ./domain.key)" | ||
|
Collaborator
There was a problem hiding this comment. Nit: typically certbot will create a 0600 root owned key, which means the base64 which is running with non-sudo privs here won't be able to read it
Author
There was a problem hiding this comment. I'm not sure how to resolve that. This worked in my testing with a non root, sudo privileged user. Would you have a technical suggestion? |
||
|
|
||
| .. note:: | ||
| If you used Let's Encrypt to obtain your certificate, the paths should look like ``/etc/letsencrypt/live/s3.yourdomain.com/fullchain.pem`` for the certificate and ``/etc/letsencrypt/live/s3.yourdomain.com/privkey.pem`` for the key. | ||
|
|
||
| If your port 443 is already in use, you can specify a different SSL port: | ||
|
|
||
| .. code:: | ||
|
|
||
| sudo microceph enable rgw \ | ||
| --ssl-port 7443 \ | ||
| --ssl-certificate "$(base64 -w0 ./domain.crt)" \ | ||
| --ssl-private-key "$(base64 -w0 ./domain.key)" | ||
|
Author
There was a problem hiding this comment. Noted. Same fix to apply when determined. |
||
|
|
||
| .. note:: | ||
| If you use a different port number, you will need to include it when accessing your endpoint: in this example, connect to ``https://s3.yourdomain.com:7443`` | ||
|
|
||
| Verify the configuration | ||
| ======================== | ||
|
|
||
| You can check your configuration with the following command: ``cat /var/snap/microceph/current/conf/radosgw.conf`` | ||
|
|
||
| The output should be similar to this, with your own IP address and port number: | ||
|
|
||
| .. code:: | ||
|
|
||
| # Generated by MicroCeph, DO NOT EDIT. | ||
| [global] | ||
| mon host = [IP ADDRESS] | ||
| run dir = /var/snap/microceph/1601/run | ||
| auth allow insecure global id reclaim = false | ||
|
|
||
| [client.radosgw.gateway] | ||
| rgw init timeout = 1200 | ||
| rgw frontends = beast ssl_port=7443 ssl_certificate=/var/snap/microceph/ common/server.crt ssl_private_key=/var/snap/microceph/common/server.key | ||
|
|
||
| Connect to your endpoint | ||
| ======================== | ||
|
|
||
| You can now use your chosen domain name to access your S3 endpoint through https. | ||
|
|
||
| .. code-block:: console | ||
|
|
||
| $ curl https://s3.yourdomain.com:7443 | ||
|
|
||
| <?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>anonymous</ID></Owner><Buckets></Buckets></ListAllMyBucketsResult># | ||
|
|
||
| .. note:: | ||
| If your certificate is self-signed, you may get a browser warning. This is okay to bypass, but we recommend using Certbot. | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, we're listing this under
Prerequisitesbut at the same time say we're going to create one which seems contradictory. Personally I'd lean towards asking for a cert as a prereq. and only providing pointers on how to obtain one (LetsEncrypt or other means).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point. The problem is that we don't have a good tutorial for how to get certificates, that we could link to. @skoech and myself were actually discussing writing one, but in the meantime decided to provide one possible way here, so that users of this guide can still go forward even if they don't know the whole certificate story.